<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body> <div dir="auto"> <div>Agree. I will make needed changes to remove CounterId parameter.</div> <div dir="auto"> </div> <div dir="auto">Regards,</div> <div dir="auto">Nishant <div data-smartmail="gmail_signature" dir="auto">Message sent from Phone.</div> <div class="gmail_extra" dir="auto"> <div class="gmail_quote">On Mar 17, 2020 7:59 PM, "Yao, Jiewen" <jiewen.yao@intel.com> wrote: <blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div> <div> Thanks Nishant. If the platform RPMC driver calls GetRpmcState(), then we should not define it in UEFI, because the variable driver does not have such knowledge. I do see the complexity on the counter management requirement. Current API might be either insufficient or unnecessary. To keep our work simple, l recommend remove CounterAddr from the API, and force BIOS use single counter. It does not have to be 0, the RpmcLib can make decision. But the high level driver does not care. We can revisit when we see more usage. Thank you Yao Jiewen <div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4pt"> <div> <div style="border:none;border-top:solid #e1e1e1 1pt;padding:3pt 0in 0in 0in"> From: Mistry, Nishant C <nishant.c.mistry@intel.com> Sent: Wednesday, March 18, 2020 10:53 AM To: Yao, Jiewen <jiewen.yao@intel.com> Cc: Wang, Jian J <jian.j.wang@intel.com>; devel@edk2.groups.io; Zhang, Chao B <chao.b.zhang@intel.com> Subject: RE: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers </div> </div> <div> <div> My thoughts below ... <div> </div> <div> Regards, </div> <div> Nishant <div> Message sent from Phone. </div> </div> <div> <div> On Mar 17, 2020 7:27 PM, "Yao, Jiewen" <<a href="mailto:jiewen.yao@intel.com">jiewen.yao@intel.com</a>> wrote: <blockquote style="border:none;border-left:solid #cccccc 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"> <div> <div> <a name="BM_BEGIN"></a>Thanks Jian. Some comments and thought. 1) RPMC spec uses CounterAddress as the indicator. Can we use the same name instead of CounterId in the API definition? [Nishant] I agree. CounterId is what CSME has defined thus I asked Jian to go with this name. However, we should use industry spec naming. </div> </div> </blockquote> </div> </div> </div> <div> </div> <div> <div> <div> <blockquote style="border:none;border-left:solid #cccccc 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"> <div> <div> 2) How the caller known which CounterAddress it need to fill? Do we need an API such as GetValidCounterAddress() ?[Nishant] The platform RPMC driver has an GetRpmcStatus() API that indicates how many counters supported as reported by CSME. 3) What is the value to add CounterAddress? Do can we guarantee that 2 drivers use 2 different counter address? Or If 2 drivers may use same counter address, why not remove the counter address parameter at all ? [Nishant] It might be simpler to just use one counter Address (i.e. 0) for UEFI firmware. If there is a customer request in future we can introduce the Counter Address parameter. At this moment I don't see a value add for BIOS. </div> </div> </blockquote> </div> </div> </div> <div> <div> <div> <blockquote style="border:none;border-left:solid #cccccc 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"> <div> <div> Thank you Yao Jiewen > -----Original Message----- > From: Wang, Jian J <<a href="mailto:jian.j.wang@intel.com">jian.j.wang@intel.com</a>> > Sent: Wednesday, March 18, 2020 10:13 AM > To: <a href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a> > Cc: Yao, Jiewen <<a href="mailto:jiewen.yao@intel.com">jiewen.yao@intel.com</a>>; Zhang, Chao B > <<a href="mailto:chao.b.zhang@intel.com">chao.b.zhang@intel.com</a>>; Mistry, Nishant C <<a href="mailto:nishant.c.mistry@intel.com">nishant.c.mistry@intel.com</a>> > Subject: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public > headers > > > v3: update retval description in RpmcLib.h > > REF: <a href="https://bugzilla.tianocore.org/show_bug.cgi?id=2594">https://bugzilla.tianocore.org/show_bug.cgi?id=2594</a> > > RpmcLib.h and VariableKeyLib.h are header files required to access RPMC > device and Key generator from platform. They will be used to ensure the > integrity and confidentiality of NV variables. > > Cc: Jiewen Yao <<a href="mailto:jiewen.yao@intel.com">jiewen.yao@intel.com</a>> > Cc: Chao Zhang <<a href="mailto:chao.b.zhang@intel.com">chao.b.zhang@intel.com</a>> > Cc: Nishant C Mistry <<a href="mailto:nishant.c.mistry@intel.com">nishant.c.mistry@intel.com</a>> > Signed-off-by: Jian J Wang <<a href="mailto:jian.j.wang@intel.com">jian.j.wang@intel.com</a>> > --- > SecurityPkg/Include/Library/RpmcLib.h | 46 +++++++++++++++ > SecurityPkg/Include/Library/VariableKeyLib.h | 59 ++++++++++++++++++++ > SecurityPkg/SecurityPkg.dec | 8 +++ > 3 files changed, 113 insertions(+) > create mode 100644 SecurityPkg/Include/Library/RpmcLib.h > create mode 100644 SecurityPkg/Include/Library/VariableKeyLib.h > > diff --git a/SecurityPkg/Include/Library/RpmcLib.h > b/SecurityPkg/Include/Library/RpmcLib.h > new file mode 100644 > index 0000000000..f548ad2c9f > --- /dev/null > +++ b/SecurityPkg/Include/Library/RpmcLib.h > @@ -0,0 +1,46 @@ > +/** @file > > + Public definitions for the Replay Protected Monotonic Counter (RPMC) Library. > > + > > +Copyright (c) 2020, Intel Corporation. All rights reserved. > > +SPDX-License-Identifier: BSD-2-Clause-Patent > > + > > +**/ > > + > > +#ifndef _RPMC_LIB_H_ > > +#define _RPMC_LIB_H_ > > + > > +#include <Uefi/UefiBaseType.h> > > + > > +/** > > + Requests the current monotonic counter from the designated RPMC counter. > > + > > + @param[in] CounterId Monotonic Counter Id. > > + @param[out] CounterValue A pointer to a buffer to store the RPMC > value. > > + > > + @retval EFI_SUCCESS The operation completed successfully. > > + @retval EFI_DEVICE_ERROR A device error occurred while attempting > to update the counter. > > + @retval EFI_UNSUPPORTED The operation is un-supported. > > +**/ > > +EFI_STATUS > > +EFIAPI > > +RequestMonotonicCounter ( > > + IN UINT8 CounterId, > > + OUT UINT32 *CounterValue > > + ); > > + > > +/** > > + Increments the designated monotonic counter in the SPI flash device by 1. > > + > > + @param[in] CounterId Monotonic Counter Id. > > + > > + @retval EFI_SUCCESS The operation completed successfully. > > + @retval EFI_DEVICE_ERROR A device error occurred while attempting > to update the counter. > > + @retval EFI_UNSUPPORTED The operation is un-supported. > > +**/ > > +EFI_STATUS > > +EFIAPI > > +IncrementMonotonicCounter ( > > + IN UINT8 CounterId > > + ); > > + > > +#endif > \ No newline at end of file > diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h > b/SecurityPkg/Include/Library/VariableKeyLib.h > new file mode 100644 > index 0000000000..fe642b3d66 > --- /dev/null > +++ b/SecurityPkg/Include/Library/VariableKeyLib.h > @@ -0,0 +1,59 @@ > +/** @file > > + Public definitions for Variable Key Library. > > + > > +Copyright (c) 2020, Intel Corporation. All rights reserved. > > +SPDX-License-Identifier: BSD-2-Clause-Patent > > + > > +**/ > > + > > +#ifndef _VARIABLE_KEY_LIB_H_ > > +#define _VARIABLE_KEY_LIB_H_ > > + > > +#include <Uefi/UefiBaseType.h> > > + > > +/** > > + Retrieves the variable root key. > > + > > + @param[out] VariableRootKey A pointer to pointer for the variable > root key buffer. > > + @param[in,out] VariableRootKeySize The size in bytes of the variable root > key. > > + > > + @retval EFI_SUCCESS The variable root key was returned. > > + @retval EFI_DEVICE_ERROR An error occurred while attempting to get > the variable root key. > > + @retval EFI_ACCESS_DENIED The function was invoked after locking > the key interface. > > + @retval EFI_UNSUPPORTED The variable root key is not supported in > the current boot configuration. > > +**/ > > +EFI_STATUS > > +EFIAPI > > +GetVariableRootKey ( > > + OUT VOID **VariableRootKey, > > + IN OUT UINTN *VariableRootKeySize > > + ); > > + > > +/** > > + Regenerates the variable root key. > > + > > + @retval EFI_SUCCESS The variable root key was regenerated > successfully. > > + @retval EFI_DEVICE_ERROR An error occurred while attempting to > regenerate the root key. > > + @retval EFI_ACCESS_DENIED The function was invoked after locking > the key interface. > > + @retval EFI_UNSUPPORTED Key regeneration is not supported in the > current boot configuration. > > +**/ > > +EFI_STATUS > > +EFIAPI > > +RegenerateKey ( > > + VOID > > + ); > > + > > +/** > > + Locks the regenerate key interface. > > + > > + @retval EFI_SUCCESS The key interface was locked successfully. > > + @retval EFI_UNSUPPORTED Locking the key interface is not supported > in the current boot configuration. > > + @retval Others An error occurred while attempting to lock the > key interface. > > +**/ > > +EFI_STATUS > > +EFIAPI > > +LockKeyInterface ( > > + VOID > > + ); > > + > > +#endif > \ No newline at end of file > diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec > index 5335cc5397..2cdfb02cc5 100644 > --- a/SecurityPkg/SecurityPkg.dec > +++ b/SecurityPkg/SecurityPkg.dec > @@ -76,6 +76,14 @@ > # > > TcgStorageOpalLib|Include/Library/TcgStorageOpalLib.h > > > > + ## @libraryclass Provides interfaces to access RPMC device. > > + # > > + RpmcLib|Include/Library/RpmcLib.h > > + > > + ## @libraryclass Provides interfaces to access variable root key. > > + # > > + VariableKeyLib|Include/Library/VariableKeyLib.h > > + > > [Guids] > > ## Security package token space guid. > > # Include/Guid/SecurityPkgTokenSpace.h > > -- > 2.24.0.windows.2 </div> </div> </blockquote> </div> </div> </div> </div> </div> </div> </div> </blockquote> </div> </div> </div> </div> </body> </html> <div width="1" style="color:white;clear:both">_._,_._,_</div> <hr> Groups.io Links: You receive all messages sent to this group. <a target="_blank" href="https://edk2.groups.io/g/devel/message/55972">View/Reply Online (#55972)</a> | | <a target="_blank" href="https://groups.io/mt/72040979/1813853">Mute This Topic</a> | <a href="https://edk2.groups.io/g/devel/post">New Topic</a> <a href="https://edk2.groups.io/g/devel/editsub/1813853">Your Subscription</a> | <a href="mailto:devel+owner@edk2.groups.io">Contact Group Owner</a> | <a href="https://edk2.groups.io/g/devel/unsub">Unsubscribe</a> [edk2-devel-archive@redhat.com] <div width="1" style="color:white;clear:both">_._,_._,_</div>